August 2011: five Cisco vulnerabilities

The Cisco Product Security Incident Response Team (PSIRT) has published five important vulnerability advisories:

  • Apache HTTPd Range Header Denial of Service Vulnerability
  • Denial of Service Vulnerability in Cisco TelePresence Codecs
  • Open Query Interface in Cisco Unified Communications Manager and Cisco Unified Presence Server
  • Cisco Unified Communications Manager Denial of Service Vulnerabilities
  • Denial of Service Vulnerabilities in Cisco Intercompany Media Engine

Apache HTTPd Range Header Denial of Service Vulnerability
The Apache HTTPd server contains a denial of service vulnerability when it handles multiple, overlapping ranges. Multiple Cisco products may be affected by this vulnerability.

Vulnerable Products
The following products are confirmed to be affected by this vulnerability:

  • Cisco MDS 9000 NX-OS Software releases prior to 5.x are affected. Cisco MDS 9000 NX-OS Software releases 5.x and later are not affected.
  • Cisco SAN-OS 3.x.
  • Cisco TelePresence Video Communication Server (Cisco TelePresence VCS)
  • All Cisco CTS TelePresence Systems
  • Cisco Video Surveillance Manager (VSM)
  • Cisco Video Surveillance Operations Manager (VSOM)
  • Management Center for Cisco Security Agent. Cisco Security Agent (client software) is not affected.
  • Cisco Wireless Control System (WCS)
  • Cisco Wide Area Application Services (WAAS) Software
  • Cisco Quad
  • Cisco Network Collector
  • Cisco Mobility Services Engine
  • CiscoWorks Common Services
  • CiscoWorks LAN Management Solution

Details
The Apache HTTPd server contains a denial of service vulnerability when it handles multiple overlapping ranges. Multiple Cisco products may be affected by this vulnerability.

Impact
Successful exploitation of this vulnerability could cause significant memory and CPU utilization on affected products. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b90d73.shtml

Denial of Service Vulnerability in Cisco TelePresence Codecs
Cisco TelePresence C Series Endpoints, E/EX Personal Video units, and MXP Series Codecs that are running software versions prior to TC4.0.0 or F9.1 contain a vulnerability that could allow an attacker to cause a denial of service.

Vulnerable Products
This vulnerability affects Cisco TelePresence MXP Series systems that are running software on the following codecs:

  • 6000MXP
  • 3000MXP
  • 2000MXP
  • 1700MXP
  • 1000MXP
  • 990MXP
  • 880MXP
  • 770MXP
  • 550MXP
  • Edge 75MXP
  • Edge 85MXP
  • Edge 95MXP

This vulnerability also affects Cisco TelePresence C Series Endpoints and E/EX Personal Video units that are running software on the following codecs:

  • C20
  • C40
  • C60
  • C90
  • EX60
  • EX90

Details
Software versions prior to TC 4.0.0 or F9.1 contain a vulnerability that could cause a crash of the device and result in a denial of service condition. This vulnerability is triggered by a crafted Session Initiation Protocol (SIP) packet that is sent to an affected device on port 5060 or 5061.

Impact
Successful exploitation of this vulnerability could result in a system crash that may lead to a denial of service condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b91395.shtml

Open Query Interface in Cisco Unified Communications Manager and Cisco Unified Presence Server
Cisco Unified Communications Manager (previously known as Cisco CallManager) and Cisco Unified Presence Server contain an open query interface that could allow an unauthenticated, remote attacker to disclose the contents of the underlying databases on affected product versions.

Vulnerable Products
The following products are affected by the vulnerability described in this advisory:

  • Cisco Unified Communications Manager
  • Cisco Unified Communications Manager 6.x
  • Cisco Unified Communications Manager 7.x
  • Cisco Unified Communications Manager 8.0
  • Cisco Unified Communications Manager 8.5
  • Cisco Unified Presence Server 6.x
  • Cisco Unified Presence Server 7.x
  • Cisco Unified Presence Server 8.0
  • Cisco Unified Presence Server 8.5

Details
Cisco Unified Communications Manager and Cisco Unified Presence Server contain an open query interface that could allow an unauthenticated, remote attacker to disclose some or all of the data contained in the underlying databases. This data may include authentication credentials, configuration details, and other sensitive information.

To exploit this issue, an attacker must have the ability to open an SSL connection to an affected device via TCP ports 443 or 8443. A completed three-way TCP handshake is required to exploit this vulnerability.

Impact
Successful exploitation of the vulnerability may result in the full disclosure of the contents of the affected product's underlying database. Contents may include authentication credentials, configuration details, and other sensitive information.

Because the vulnerability is restricted to read-only access, it cannot be directly exploited to manipulate data held in the database. However, with the appropriate knowledge, an attacker could leverage the obtained information to gain administrative access to the web-based management interface.

Link: http://www.cisco.com/…/security_advisory09186a0080b8f532.shtml

Cisco Unified Communications Manager Denial of Service Vulnerabilities
Cisco Unified Communications Manager contains five (5) denial of service (DoS) vulnerabilities. Two of the vulnerabilities described in this advisory also affect the Cisco Intercompany Media Engine.

Vulnerable Products
The following products are affected by at least one of the vulnerabilities that are described in this advisory:

  • Cisco Unified Communications Manager 4.x
  • Cisco Unified Communications Manager 6.x
  • Cisco Unified Communications Manager 7.x
  • Cisco Unified Communications Manager 8.x

Details
Cisco Unified Communications Manager contains five DoS vulnerabilities that could cause a critical process to fail, resulting in disruption of voice services.

  • The first DoS vulnerability involves the Packet Capture Service, which is enabled by default. The Packet Capture Service fails to time out or close idle TCP connections. It is possible for a remote attacker to exhaust the Cisco Unified Communications Manager’s memory by opening multiple connections, which will cause Cisco Unified Communications Manager to restart.
  • The second DoS vulnerability involves certain configurations of Media Termination Points (MTP). One-way audio may be observed when an MTP is configured with the g729ar8 codec only. In certain situations, an interruption in service may occur and a stack trace will be generated by the Session Initiation Protocol (SIP) process when processing the Session Description Protocol (SDP) portion of a SIP call.
  • The third DoS vulnerability involves a coredump when processing certain SIP INVITE messages.
  • The remaining two DoS vulnerabilities involve the Service Advertisement Framework (SAF). An unauthenticated attacker could exploit these vulnerabilities by sending crafted SAF packets to an affected device. Successful exploitation could cause the device to reload.

Impact
Successful exploitation of the vulnerabilities that are described in this advisory could result in the interruption of voice services. In certain instances, the affected Cisco Unified Communications Manager processes will restart, but repeated attacks may result in a sustained DoS condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b8f531.shtml

Denial of Service Vulnerabilities in Cisco Intercompany Media Engine
Two denial of service (DoS) vulnerabilities exist in the Cisco Intercompany Media Engine. An unauthenticated attacker could exploit these vulnerabilities by sending crafted Service Advertisement Framework (SAF) packets to an affected device, which may cause the device to reload.

Vulnerable Products
Cisco Intercompany Media Engine Software Release 8.0.x is affected by these vulnerabilities. Cisco Intercompany Media Engine Software Release 8.5.x is not affected. Cisco Unified Communications Manager Software Release 8.0.x is also affected by these vulnerabilities.

Details
Cisco Intercompany Media Engine is affected by two DoS vulnerabilities that an unauthenticated attacker could exploit by sending crafted SAF packets to an affected device. Successful exploitation could cause the device to reload.

Impact
Successful exploitation of these vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition.

Link: http://www.cisco.com/…/security_advisory09186a0080b8f533.shtml
